Merge branch 'develop'

10up · Feb 12, 2021 · 68b24a8 · 68b24a8
2 parents d3c8db6 + e8c675b
commit 68b24a8
Show file tree

Hide file tree

Showing 15 changed files with 61 additions and 14 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,7 +6,7 @@ on:
   push:
     branches:
       - develop
-      - trunk
+      - master
   pull_request:
     branches:
       - develop

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file, per [the Keep a Changelog standard](http://keepachangelog.com/).
 
+## [3.5.4]
+
+This is primarily a security and bug fix release. PLEASE NOTE that versions 3.5.2 and 3.5.3 contain a vulnerability that allows a user to bypass the nonce check associated with re-sending the unaltered default search query to ElasticPress.io that is used for providing Autosuggest queries. If you are running version 3.5.2. or 3.5.3 please upgrade to 3.5.4 immediately.
+
+Security Fix:
+* Fixed a nonce check associated with updating the default Autosuggest search query in ElasticPress.io. Props [@felipeelia](https://github.com/felipeelia)
+
+Bug Fixes:
+* Fix broken click on highlighted element in Autosuggest results. Props [@felipeelia](https://github.com/felipeelia)
+* Properly cast `from` parameter in `$formatted_args` to an integer to prevent errors if empty. Props [@CyberCyclone](https://github.com/CyberCyclone)
+
+Enhancements:
+* Add an `ep_is_facetable` filter to enable custom control over where to show or hide Facets. Props [@moraleida]
+* Improvements to contributing documentation and tests. Props [@jeffpaul](https://github.com/jeffpaul) and [@felipeelia](https://github.com/felipeelia)
+
 ## [3.5.3]
 
 This is a bug fix release.

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -28,6 +28,7 @@ The `develop` branch is the development branch which means it contains the next
 
 ## Release instructions
 
+1. If the new version requires a reindex, add its number to the `$reindex_versions` array in the `ElasticPress\Upgrades::check_reindex_needed()` method. If it is the case, remember to add that information to the Changelog listings in readme.txt and CHANGELOG.md.
 1. Branch: Starting from `develop`, cut a release branch named `release/X.Y.Z` for your changes.
 1. Version bump: Bump the version number in `elasticpress.php`, `package.json`, `readme.txt`, and any other relevant files if it does not already reflect the version being released.   In `elasticpress.php` update both the plugin "Version:" property and the plugin `EP_VERSION` constant.
 1. Changelog: Add/update the changelog in `CHANGELOG.md` and `readme.txt`, ensuring to link the release in the footer of `CHANGELOG.md`.
@@ -41,4 +42,4 @@ The `develop` branch is the development branch which means it contains the next
 1. SVN: Wait for the [GitHub Action](https://github.com/10up/ElasticPress/actions?query=workflow%3A%22Deploy+to+WordPress.org%22) to finish deploying to the WordPress.org repository.  If all goes well, users with SVN commit access for that plugin will receive an emailed diff of changes.
 1. Check WordPress.org: Ensure that the changes are live on https://wordpress.org/plugins/elasticpress/.  This may take a few minutes.
 1. Close milestone: Edit the [milestone](https://github.com/10up/elasticpress/milestone/#) with release date (in the `Due date (optional)` field) and link to GitHub release (in the `Description` field), then close the milestone.
-1. Punt incomplete items: If any open issues or PRs which were milestoned for `X.Y.Z` do not make it into the release, update their milestone to `X.Y.Z+1`, `X.Y+1.0`, `X+1.0.0` or `Future Release`.
+1. Punt incomplete items: If any open issues or PRs which were milestoned for `X.Y.Z` do not make it into the release, update their milestone to `X.Y.Z+1`, `X.Y+1.0`, `X+1.0.0` or `Future Release`.
diff --git a/CREDITS.md b/CREDITS.md
@@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo
 
 Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.
 
-[Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Aaron Holbrook (@AaronHolbrook)](https://github.com/AaronHolbrook), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Matt Gross (@mattonomics)](https://github.com/mattonomics), [Chris Marslender (@cmmarslender)](https://github.com/cmmarslender), [Gustave F. Gerhardt (@GhostToast)](https://github.com/GhostToast), [Scott Kingsley Clark (@sc0ttkclark)](https://github.com/sc0ttkclark), [Cole Geissinger (@colegeissinger)](https://github.com/colegeissinger), [Elliott Stocks (@elliott-stocks)](https://github.com/elliott-stocks). [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Jonathan Bardo (@jonathanbardo)](https://github.com/jonathanbardo), [Ryan Boswell (@ryanboswell)](https://github.com/ryanboswell), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [Jason Boyle (@Jaace)](https://github.com/Jaace), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Mikael Mattsson (@mikaelmattsson)](https://github.com/mikaelmattsson), [Eduard Maghakyan (@EduardMaghakyan)](https://github.com/EduardMaghakyan), [Allan Collins (@allan23)](https://github.com/allan23), [Doug Stewart (@zamoose)](https://github.com/zamoose), [Hannes Kandulla (@HKandulla)](https://github.com/HKandulla), [Michael Phillips (@mphillips)](https://github.com/mphillips), [Tuan Minh Huynh (@tuanmh)](https://github.com/tuanmh), [Alex Bouma (@stayallive)](https://github.com/stayallive), [James Mehorter (@jamesmehorter)](https://github.com/jamesmehorter), [Chris Wiegman (@ChrisWiegman)](https://github.com/ChrisWiegman), [Gustavo Bordoni (@bordoni)](https://github.com/bordoni), [Joel Garcia Jr (@joelgarciajr84)](https://github.com/joelgarciajr84), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Russell Heimlich (@kingkool68)](https://github.com/kingkool68), [Matthew Spencer (@matthewspencer)](https://github.com/matthewspencer), [Konstantin Kovshenin (@kovshenin)](https://github.com/kovshenin), [John P. Bloch (@johnpbloch)](https://github.com/johnpbloch), [Lukas Pawlik (@lukaspawlik)](https://github.com/lukaspawlik), [Brian Watson (@bswatson)](https://github.com/bswatson), [Matthew McAchran (@mmcachran)](https://github.com/mmcachran), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Dana Ross (@dana-ross)](https://github.com/dana-ross), [Jonas Stensved (@jstensved)](https://github.com/jstensved), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Ross Luebe (@rossluebe)](https://github.com/rossluebe), [Matt Gibbs (@mgibbs189)](https://github.com/mgibbs189), [Mustafa Uysal (@mustafauysal)](https://github.com/mustafauysal), [Craig Miller (@craigmillerdev)](https://github.com/craigmillerdev), [Ryan Veitch (@rveitch)](https://github.com/rveitch), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Kristoffer Svanmark (@Svanmark)](https://github.com/Svanmark), [Jerry Volfson (@jvolfson)](https://github.com/jvolfson), [David Naber (@dnaber-de)](https://github.com/dnaber-de), [David Arceneaux (@DArcMattr)](https://github.com/DArcMattr), [Ben Cumber (@bcumber)](https://github.com/bcumber), [Nícholas André (@nicholasio)](https://github.com/nicholasio), [Jeremy Madison (@jdmadison)](https://github.com/jdmadison), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Dreb Bits (@drebbits)](https://github.com/drebbits), [Shakeel Sorathia (@ssorathia)](https://github.com/ssorathia), [André Philip Kallehauge (@kallehauge)](https://github.com/kallehauge), [Fabian Marz (@fabianmarz)](https://github.com/fabianmarz), [IWriteThings (@IWriteThings)](https://github.com/IWriteThings), [Ricardo Moraleida (@moraleida)](https://github.com/moraleida), [Jason Bahl (@jasonbahl)](https://github.com/jasonbahl), [Dustin Rue (@dustinrue)](https://github.com/dustinrue), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Mallory Adams (@mallorydxw)](https://github.com/mallorydxw), [John Eismeier (@jeis2497052)](https://github.com/jeis2497052), [Dotan Cohen (@dotancohen)](https://github.com/dotancohen), [Yaron Uliel (@yaronuliel)](https://github.com/yaronuliel), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Vasken Hauri (@brandwaffle)](https://github.com/brandwaffle), [Derrick Koo (@dkoo)](https://github.com/dkoo), [Aaron Brazell (@technosailor)](https://github.com/technosailor), [Johannes Kinast (@goaround)](https://github.com/goaround), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Gassan Gousseinov (@gassan)](https://github.com/gassan), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [Helen Hou-Sandi (@helen)](https://github.com/helen), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [columbian-chris (@columbian-chris)](https://github.com/columbian-chris), [John Spellman (@jspellman814)](https://github.com/jspellman814), [Mindaugas Budreika (@mch0lic)](https://github.com/mch0lic), [Thorsten Ott (@tott)](https://github.com/tott), [William Gladstone (@willgladstone)](https://github.com/willgladstone), [Michael LaRoy (@mlaroy)](https://github.com/mlaroy), [Shady Sharaf (@shadyvb)](https://github.com/shadyvb), [Liam Gladdy (@lgladdy)](https://github.com/lgladdy), [John Watkins (@johnwatkins0)](https://github.com/johnwatkins0), [Retro64XYZ (@Retro64XYZ)](https://github.com/Retro64XYZ), [Alex Wybraniec (@alexwybraniec)](https://github.com/alexwybraniec), [Ashar Irfan (@asharirfan)](https://github.com/asharirfan), [Barry Ceelen (@barryceelen)](https://github.com/barryceelen), [Felipe Elia (@felipeelia)](https://github.com/felipeelia), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Christian Chung (@christianc1)](https://github.com/christianc1), [Paul de Wouters  (@pdewouters)](https://github.com/pdewouters), [Edwin Siebel (@edwinsiebel)](https://github.com/edwinsiebel), [Guillaume Kanoufi (@g-kanoufi)](https://github.com/g-kanoufi), [Ames Plant (@amesplant)](https://github.com/amesplant), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [Brandon Skinner (@brandon-m-skinner)](https://github.com/brandon-m-skinner), [johanneson (@johanneson)](https://github.com/johanneson), [Alex Woollam (@alexwoollam)](https://github.com/alexwoollam), [Michele Cipriani (@ciprianimike)](https://github.com/ciprianimike), [Ramon Ahnert (@Rahmon)](https://github.com/Rahmon).
+[Taylor Lovett (@tlovett1)](https://github.com/tlovett1), [Aaron Holbrook (@AaronHolbrook)](https://github.com/AaronHolbrook), [Ivan Lopez (@ivanlopez)](https://github.com/ivanlopez), [Matt Gross (@mattonomics)](https://github.com/mattonomics), [Chris Marslender (@cmmarslender)](https://github.com/cmmarslender), [Gustave F. Gerhardt (@GhostToast)](https://github.com/GhostToast), [Scott Kingsley Clark (@sc0ttkclark)](https://github.com/sc0ttkclark), [Cole Geissinger (@colegeissinger)](https://github.com/colegeissinger), [Elliott Stocks (@elliott-stocks)](https://github.com/elliott-stocks). [Adam Silverstein (@adamsilverstein)](https://github.com/adamsilverstein), [Ivan Kruchkoff (@ivankruchkoff)](https://github.com/ivankruchkoff), [Jonathan Bardo (@jonathanbardo)](https://github.com/jonathanbardo), [Ryan Boswell (@ryanboswell)](https://github.com/ryanboswell), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [Jason Boyle (@Jaace)](https://github.com/Jaace), [Joey Blake (@joeyblake)](https://github.com/joeyblake), [Mikael Mattsson (@mikaelmattsson)](https://github.com/mikaelmattsson), [Eduard Maghakyan (@EduardMaghakyan)](https://github.com/EduardMaghakyan), [Allan Collins (@allan23)](https://github.com/allan23), [Doug Stewart (@zamoose)](https://github.com/zamoose), [Hannes Kandulla (@HKandulla)](https://github.com/HKandulla), [Michael Phillips (@mphillips)](https://github.com/mphillips), [Tuan Minh Huynh (@tuanmh)](https://github.com/tuanmh), [Alex Bouma (@stayallive)](https://github.com/stayallive), [James Mehorter (@jamesmehorter)](https://github.com/jamesmehorter), [Chris Wiegman (@ChrisWiegman)](https://github.com/ChrisWiegman), [Gustavo Bordoni (@bordoni)](https://github.com/bordoni), [Joel Garcia Jr (@joelgarciajr84)](https://github.com/joelgarciajr84), [Dominik Schilling (@ocean90)](https://github.com/ocean90), [Russell Heimlich (@kingkool68)](https://github.com/kingkool68), [Matthew Spencer (@matthewspencer)](https://github.com/matthewspencer), [Konstantin Kovshenin (@kovshenin)](https://github.com/kovshenin), [John P. Bloch (@johnpbloch)](https://github.com/johnpbloch), [Lukas Pawlik (@lukaspawlik)](https://github.com/lukaspawlik), [Brian Watson (@bswatson)](https://github.com/bswatson), [Matthew McAchran (@mmcachran)](https://github.com/mmcachran), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Dana Ross (@dana-ross)](https://github.com/dana-ross), [Jonas Stensved (@jstensved)](https://github.com/jstensved), [Pete Nelson (@petenelson)](https://github.com/petenelson), [Ross Luebe (@rossluebe)](https://github.com/rossluebe), [Matt Gibbs (@mgibbs189)](https://github.com/mgibbs189), [Mustafa Uysal (@mustafauysal)](https://github.com/mustafauysal), [Craig Miller (@craigmillerdev)](https://github.com/craigmillerdev), [Ryan Veitch (@rveitch)](https://github.com/rveitch), [Ritesh Patel (@Ritesh-patel)](https://github.com/Ritesh-patel), [Kristoffer Svanmark (@Svanmark)](https://github.com/Svanmark), [Jerry Volfson (@jvolfson)](https://github.com/jvolfson), [David Naber (@dnaber-de)](https://github.com/dnaber-de), [David Arceneaux (@DArcMattr)](https://github.com/DArcMattr), [Ben Cumber (@bcumber)](https://github.com/bcumber), [Nícholas André (@nicholasio)](https://github.com/nicholasio), [Jeremy Madison (@jdmadison)](https://github.com/jdmadison), [Ivan Kristianto (@ivankristianto)](https://github.com/ivankristianto), [Dreb Bits (@drebbits)](https://github.com/drebbits), [Shakeel Sorathia (@ssorathia)](https://github.com/ssorathia), [André Philip Kallehauge (@kallehauge)](https://github.com/kallehauge), [Fabian Marz (@fabianmarz)](https://github.com/fabianmarz), [IWriteThings (@IWriteThings)](https://github.com/IWriteThings), [Ricardo Moraleida (@moraleida)](https://github.com/moraleida), [Jason Bahl (@jasonbahl)](https://github.com/jasonbahl), [Dustin Rue (@dustinrue)](https://github.com/dustinrue), [Eugene Manuilov (@eugene-manuilov)](https://github.com/eugene-manuilov), [Mallory Adams (@mallorydxw)](https://github.com/mallorydxw), [John Eismeier (@jeis2497052)](https://github.com/jeis2497052), [Dotan Cohen (@dotancohen)](https://github.com/dotancohen), [Yaron Uliel (@yaronuliel)](https://github.com/yaronuliel), [Oscar Sanchez S. (@oscarssanchez)](https://github.com/oscarssanchez), [Vasken Hauri (@brandwaffle)](https://github.com/brandwaffle), [Derrick Koo (@dkoo)](https://github.com/dkoo), [Aaron Brazell (@technosailor)](https://github.com/technosailor), [Johannes Kinast (@goaround)](https://github.com/goaround), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Gassan Gousseinov (@gassan)](https://github.com/gassan), [Evan Mattson (@aaemnnosttv)](https://github.com/aaemnnosttv), [Helen Hou-Sandi (@helen)](https://github.com/helen), [Peter Sorensen (@psorensen)](https://github.com/psorensen), [columbian-chris (@columbian-chris)](https://github.com/columbian-chris), [John Spellman (@jspellman814)](https://github.com/jspellman814), [Mindaugas Budreika (@mch0lic)](https://github.com/mch0lic), [Thorsten Ott (@tott)](https://github.com/tott), [William Gladstone (@willgladstone)](https://github.com/willgladstone), [Michael LaRoy (@mlaroy)](https://github.com/mlaroy), [Shady Sharaf (@shadyvb)](https://github.com/shadyvb), [Liam Gladdy (@lgladdy)](https://github.com/lgladdy), [John Watkins (@johnwatkins0)](https://github.com/johnwatkins0), [Retro64XYZ (@Retro64XYZ)](https://github.com/Retro64XYZ), [Alex Wybraniec (@alexwybraniec)](https://github.com/alexwybraniec), [Ashar Irfan (@asharirfan)](https://github.com/asharirfan), [Barry Ceelen (@barryceelen)](https://github.com/barryceelen), [Felipe Elia (@felipeelia)](https://github.com/felipeelia), [Tung Du (@dinhtungdu)](https://github.com/dinhtungdu), [Christian Chung (@christianc1)](https://github.com/christianc1), [Paul de Wouters  (@pdewouters)](https://github.com/pdewouters), [Edwin Siebel (@edwinsiebel)](https://github.com/edwinsiebel), [Guillaume Kanoufi (@g-kanoufi)](https://github.com/g-kanoufi), [Ames Plant (@amesplant)](https://github.com/amesplant), [David Chandra Purnama (@turtlepod)](https://github.com/turtlepod), [Brandon Skinner (@brandon-m-skinner)](https://github.com/brandon-m-skinner), [johanneson (@johanneson)](https://github.com/johanneson), [Alex Woollam (@alexwoollam)](https://github.com/alexwoollam), [Michele Cipriani (@ciprianimike)](https://github.com/ciprianimike), [Ramon Ahnert (@Rahmon)](https://github.com/Rahmon). [Casey Gibson (@CyberCyclone)](https://github.com/CyberCyclone),
 
 ## Libraries
 

diff --git a/assets/js/autosuggest.js b/assets/js/autosuggest.js
@@ -265,7 +265,10 @@ function updateAutosuggestBox(options, input) {
 
 	suggestList.addEventListener('click', (event) => {
 		event.preventDefault();
-		const { target } = event;
+		const target =
+			event.target.tagName === epas.highlightingTag.toUpperCase()
+				? event.target.parentElement
+				: event.target;
 
 		if (autosuggestItems.includes(target)) {
 			selectItem(input, target);

diff --git a/dist/js/admin-script.min.js.map b/dist/js/admin-script.min.js.map
diff --git a/dist/js/autosuggest-script.min.js b/dist/js/autosuggest-script.min.js
diff --git a/dist/js/autosuggest-script.min.js.map b/dist/js/autosuggest-script.min.js.map
diff --git a/dist/js/dashboard-script.min.js.map b/dist/js/dashboard-script.min.js.map
diff --git a/elasticpress.php b/elasticpress.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: ElasticPress
  * Description: A fast and flexible search and query engine for WordPress.
- * Version:     3.5.3
+ * Version:     3.5.4
  * Author:      10up
  * Author URI:  http://10up.com
  * License:     GPLv2 or later
@@ -28,7 +28,7 @@
 define( 'EP_URL', plugin_dir_url( __FILE__ ) );
 define( 'EP_PATH', plugin_dir_path( __FILE__ ) );
 define( 'EP_FILE', plugin_basename( __FILE__ ) );
-define( 'EP_VERSION', '3.5.3' );
+define( 'EP_VERSION', '3.5.4' );
 
 /**
  * PSR-4-ish autoloading

diff --git a/includes/classes/Feature/Autosuggest/Autosuggest.php b/includes/classes/Feature/Autosuggest/Autosuggest.php
@@ -637,7 +637,7 @@ public function epio_send_autosuggest_public_request( $blocking = false ) {
 	 * Send the allowed parameters for autosuggest to ElasticPress.io.
 	 */
 	public function epio_send_autosuggest_allowed() {
-		if ( ! empty( $_REQUEST['ep_epio_nonce'] ) && ! wp_verify_nonce( $_REQUEST['ep_epio_nonce'], 'ep-epio-set-autosuggest' ) ) {
+		if ( empty( $_REQUEST['ep_epio_nonce'] ) || ! wp_verify_nonce( $_REQUEST['ep_epio_nonce'], 'ep-epio-set-autosuggest' ) ) {
 			return;
 		}
 		if ( empty( $_GET['ep_epio_set_autosuggest'] ) ) {

diff --git a/includes/classes/Feature/Facets/Facets.php b/includes/classes/Feature/Facets/Facets.php
@@ -184,6 +184,19 @@ public function front_scripts() {
 	 * @return bool
 	 */
 	public function is_facetable( $query ) {
+
+		/**
+		 * Bypass the standard checks and set a query to be facetable
+		 *
+		 * @hook ep_is_facetable
+		 * @param  {bool}     $bypass Defaults to false.
+		 * @param  {WP_Query} $query  The current WP_Query.
+		 * @return {bool}     true to bypass, false to ignore
+		 */
+		if ( \apply_filters( 'ep_is_facetable', false, $query ) ) {
+			return true;
+		}
+
 		if ( is_admin() ) {
 			return false;
 		}
@@ -318,7 +331,7 @@ public function facet_query( $query ) {
 	 * @since  2.5
 	 */
 	public function get_aggs( $response, $query, $query_args, $query_object ) {
-		if ( empty( $query_object ) || 'WP_Query' !== get_class( $query_object ) || ! $query_object->is_main_query() ) {
+		if ( empty( $query_object ) || 'WP_Query' !== get_class( $query_object ) || ! $this->is_facetable( $query_object ) ) {
 			return;
 		}
 

diff --git a/includes/classes/Indexable/Post/Post.php b/includes/classes/Indexable/Post/Post.php
@@ -1358,7 +1358,7 @@ function( $tax_query ) use ( $args ) {
 		}
 
 		if ( isset( $args['offset'] ) ) {
-			$formatted_args['from'] = $args['offset'];
+			$formatted_args['from'] = (int) $args['offset'];
 		}
 
 		if ( isset( $args['paged'] ) && $args['paged'] > 1 ) {

diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "elasticpress",
-  "version": "3.5.3",
+  "version": "3.5.4",
   "license": "GPL-2.0-or-later",
   "description": "A fast and flexible search and query engine for WordPress.",
   "devDependencies": {
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,7 +6,7 @@ on: @@
       push:
         branches:
           - develop
-          - trunk
+          - master
       pull_request:
         branches:
           - develop
@@ Expand Down @@